How to Remove Aes_ni_0day Ransomware

Readers recently started to report the following message being displayed when they boot their computer:

AES-NI SPECIAL VERSION: NSA EXPLOIT EDITION INTRO: If you are reading it, your server was attacked with the NSA exploits. Make World Safe Again. SORRY! Your files are encrypted. File contents are encrypted with random key (AES-256 bit; ECB mode). Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any “decryption tools”. These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. In order to get the private key, write here: 0xc030@protonmail.ch 0xc030@tuta.io aes-ni@scryptmail.com IMPORTANT: In some cases malware researchers can block our e-mails. If you did not receive any answer on e-mail in 48 hours, please do not panic and write to BitMsg (https://bitmsg.me) address: BM-2cVgoJS8HPMkjzgDMVNAGg5TG3bb1TcfhN or create topic on https://www.bleepingcomputer.com/ and we will find you there. If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. You MUST refer this ID in your message: RECOVERI2 # – ****** Also you MUST send all “.key.aes_ni_0day” files from C:\ProgramData if there are any. ===== # aes-ni ransomware # =====


You must have heard of these types of viruses that encrypt your files and ask for a giant amount of money to restore them. The industry calls them ransomware. You can see that this name is not very imaginative, yet quite descriptive. Well, Aes_ni_0day is one of those dreaded ransomware viruses. This pest sneaked into your computer and wreaked havoc on it. The Aes_ni_0day ransomware works like a typical member of its family. First, it scans your system, detects all target files and encrypts them. Then it announces its presence by displaying a ransom note. This arrogant virus is demanding money for your own files. It can lock all sorts of files: documents, pictures, presentations, archives, etc. You will still see the icons of your documents, yet you won’t be able to open or use them. Luckily, the virus won’t encrypt files that are essential for your system, so your computer will remain somewhat usable. Don’t bother creating new files; Aes_ni_0day will encrypt them too. You must accept the situation. Neither paying the ransom nor waiting for a miracle will remove this pest and unlock your files. Keep reading to find more information about this parasite.

How did I get infected?

There are many ways for ransomware to travel the web. Spam emails, torrents and corrupted links are some of the most frequently used ones. Yet the most common distribution technique, undoubtedly, is spam email. How many times have you heard not to open emails from strangers? Those are not old wives’ tales. Even today, hackers use emails to spread some of the most dangerous computer viruses. When you receive an email from a stranger, check their contact details before even opening the letter itself. You can do so by entering the email address into a search engine. If it was used for shady business, someone must have complained online. Yet this method is not flawless. New email addresses are created all the time, and if you are part of the first wave of a spam campaign, there may not be any evidence online yet. Be vigilant and skeptical. Only your caution can spare you trouble in the future. We can give you one more tip. If you receive a letter from an organization or company, do some quick online research. Visit their official website. There, under the contact section, you will find their authorized email address. Compare it with the one you received a message from. If the two addresses don’t match, delete the spam email immediately. Your computer security is your responsibility, and yours only. If necessary, go the extra mile. Don’t leave it to chance.

Why is Aes_ni_0day dangerous?

Even the name of Aes_ni_0day implies how strong the virus’ encryption is. The ransomware uses the AES encryption algorithm to lock your files. This cipher is commonly used by ransomware because it is strong: without the key, the encrypted data cannot be recovered. The Aes_ni_0day ransomware was only recently discovered, which also suggests that most anti-virus programs may not detect it yet. Yet there is a silver lining. You may be able to restore your files from shadow copies or system backups. The chances are not great, yet they do exist. However, before you take any action, remove the Aes_ni_0day ransomware. If you skip this step, your newly restored files will be re-encrypted. Apart from all these issues, Aes_ni_0day has some more trivial aspects. It works in the background. You can’t “see” it, yet it is using your computer’s resources. You may have noticed a general slowness of your PC. This is due to the virus’ heavy RAM and CPU usage. Furthermore, Aes_ni_0day will decrease the free space on your HDD. The virus can cause some older machines to freeze and crash frequently. Therefore, you must make up your mind quickly. Take action against this threat! We strongly recommend against paying the ransom. Keep in mind that you are dealing with cyber criminals. You cannot expect them to play fair. You can never win against them. There are cases where victims paid the demanded ransom but did not receive a working key. Furthermore, your money will be used to fund the crooks’ malicious business and to further develop their malicious programs. Don’t become their sponsor!

Aes_ni_0day Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Aes_ni_0day Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that its file name is usually randomly generated.
  • Before you kill the process, write down its name in a text document for later reference.

  • Locate any suspicious processes associated with the Aes_ni_0day encryption virus.
  • Right-click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on the “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select the “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click the “Apply” and “OK” buttons

STEP 3: Locate the Aes_ni_0day encryption virus startup location

  • Once the operating system has loaded, press the Windows logo key and the R key simultaneously, type regedit and press Enter to open the Registry Editor.

Depending on your OS (x86 or x64), navigate to one of:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the entry with the random display name ([RANDOM]) that points to the ransomware executable

  • Then open Windows Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the Windows msconfig (System Configuration) tool to double-check the execution point of the virus. Please have in mind that the names on your machine may be different, as they are generated randomly; that is why you should run a professional scanner to identify the malicious files.
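As an added example (not code from the original article), the PowerShell triage script below checks by script the same locations Steps 1 to 3 walk through by hand: it lists every entry in the three Run keys named above, looks for the “.key.aes_ni_0day” files the ransom note says live in C:\ProgramData, and reports whether any Volume Shadow Copies exist for Step 4. The three Run keys and the key-file name come from the page; the “suspicious folder” heuristic and all variable names are my own assumptions.

```powershell
# Added triage script, not part of the original article. Read-only: it deletes
# nothing and changes no registry value; review its output before acting.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Heuristic assumption: a legitimate autorun entry rarely launches from these
# user-writable folders, so entries that do deserve a closer look.
$suspiciousRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),        # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData'),   # %LOCALAPPDATA%
    [Environment]::GetFolderPath('CommonApplicationData'),  # C:\ProgramData
    [IO.Path]::GetTempPath()                                # %TEMP%
)
# Properties PowerShell attaches to every registry item; they are not autorun values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # Wow6432Node is absent on x86
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $flag = ''
        foreach ($root in $suspiciousRoots) {
            if ($cmd -like "*$root*") { $flag = 'SUSPICIOUS'; break }
        }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Flag = $flag }
    }
}
$entries | Format-Table -AutoSize

# Per-victim key files named in the ransom note: preserve them as evidence, do not delete.
$keyFiles = Get-ChildItem -Path 'C:\ProgramData' -Filter '*.key.aes_ni_0day' `
    -Recurse -Force -ErrorAction SilentlyContinue
if ($keyFiles) {
    Write-Output "Found $(@($keyFiles).Count) *.key.aes_ni_0day file(s):"
    $keyFiles.FullName
}

# Shadow copies available for Method 3 of Step 4 (0 means that route is closed).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Output "Volume Shadow Copies present: $($shadows.Count)"
```

Run it from an elevated PowerShell prompt, since listing shadow copies and recursing through C:\ProgramData need administrator rights; an entry flagged SUSPICIOUS is a lead to verify with a scanner, not proof of infection.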

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one.

  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may be able to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the drive you want to recover from. Right-click on any file you want to restore and click Export.
